Add files via upload

.dockerignore

@@ -0,0 +1,2 @@
+node_modules
+npm-debug.log

.gitignore

@@ -0,0 +1,6 @@
+node_modules/
+docs/_book
+npm-debug.log
+vars.env
+package-lock.json
+.dev/

Dockerfile

@@ -0,0 +1,13 @@
+# Damn Vulnerable NodeJS Application
+
+FROM node:carbon
+LABEL MAINTAINER "Subash SN"
+
+WORKDIR /app
+
+COPY . .
+
+RUN chmod +x /app/entrypoint.sh \
+	&& npm install
+
+CMD ["bash", "/app/entrypoint.sh"]

Dockerfile-dev

@@ -0,0 +1,11 @@
+# Damn Vulnerable NodeJS Application
+# https://github.com/appsecco/dvna
+
+FROM node:carbon
+LABEL MAINTAINER "Subash SN"
+
+WORKDIR /app
+
+RUN npm install -g nodemon
+
+CMD ["/bin/bash", "/app/entrypoint-dev.sh"]

LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2023 Appsecco Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,150 @@
+# Damn Vulnerable NodeJS Application (DVNA)
+
+![dvna-logo](docs/resources/dvna.png)
+
+Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate [**OWASP Top 10 Vulnerabilities**](https://www.owasp.org/index.php/Top_10-2017_Top_10) and guide on fixing and avoiding these vulnerabilities. The [fixes](https://github.com/appsecco/dvna/tree/fixes) branch will contain fixes for the vulnerabilities. Fixes for vulnerabilities OWASssP Top 10 2017 vulnerabilities at [fixes-2017](https://github.com/appsecco/dvna/tree/fixes-2017) branch.
+
+The application is powered by commonly used libraries such as [express](https://www.npmjs.com/package/express), [passport](https://www.npmjs.com/package/passport), [sequelize](https://www.npmjs.com/package/sequelize), etc.
+
+## Developer Security Guide book
+
+The application comes with a **developer friendly comprehensive guidebook** which can be used to learn, avoid and fix the vulnerabilities. The guide is available at [docs](/docs) and covers the following
+
+1. Instructions for setting up DVNA
+2. Instructions on exploiting the vulnerabilities
+3. Vulnerable code snippets and instructions on fixing vulnerabilities
+4. Recommendations for avoid such vulnerabilities
+5. References for learning more
+
+The blog post for this release is at [https://blog.appsecco.com/damn-vulnerable-nodejs-application-dvna-by-appsecco-7d782d36dc1e](https://blog.appsecco.com/damn-vulnerable-nodejs-application-dvna-by-appsecco-7d782d36dc1e)
+
+You can setup a local gitbook server to access the documentation using the following commands. The documentation will then be accessible on [http://localhost:4000](http://localhost:4000).
+
+```bash
+cd docs/
+docker run --rm -v `pwd`:/gitbook -p 4000:4000 --name gitbook amontaigu/gitbook gitbook serve
+```
+
+## Quick start
+
+Try DVNA using a single command with Docker. This setup uses an SQLite database instead of MySQL.
+
+```bash
+docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite
+```
+
+Access the application at [http://127.0.0.1:9090/](http://127.0.0.1:9090/)
+
+## Getting Started
+
+DVNA can be deployed in three ways
+
+1. For Developers, using docker-compose with auto-reload on code updates
+2. For Security Testers, using the Official image from Docker Hub
+3. For Advanced Users, using a fully manual setup
+
+Detailed instructions on setup and requirements are given in the Guide Gitbook
+
+### 1. Development Setup
+
+Clone this repository
+
+```bash
+git clone https://github.com/appsecco/dvna; cd dvna
+```
+
+Create a `vars.env` with the desired database configuration
+
+```bash
+MYSQL_USER=dvna
+MYSQL_DATABASE=dvna
+MYSQL_PASSWORD=passw0rd
+MYSQL_RANDOM_ROOT_PASSWORD=yes
+```
+
+Start the application and database using `docker-compose`
+
+```bash
+docker-compose up
+```
+
+Access the application at [http://127.0.0.1:9090/](http://127.0.0.1:9090/)
+
+The application will automatically reload on code changes, so feel free to patch and play around with the application.
+
+### Using Official Docker Image
+
+Create a file named `vars.env` with the following configuration
+
+```bash
+MYSQL_USER=dvna
+MYSQL_DATABASE=dvna
+MYSQL_PASSWORD=passw0rd
+MYSQL_RANDOM_ROOT_PASSWORD=yes
+MYSQL_HOST=mysql-db
+MYSQL_PORT=3306
+```
+
+Start a MySQL container
+
+```bash
+docker run --rm --name dvna-mysql --env-file vars.env -d mysql:5.7
+```
+
+Start the application using the official image
+
+```bash
+docker run --rm --name dvna-app --env-file vars.env --link dvna-mysql:mysql-db -p 9090:9090 appsecco/dvna
+```
+
+Access the application at http://127.0.0.1:9090/ and start testing!
+
+### Manual Setup
+
+Clone the repository
+
+```bash
+git clone https://github.com/appsecco/dvna; cd dvna
+```
+
+Configure the environment variables with your database information
+
+```bash
+export MYSQL_USER=dvna
+export MYSQL_DATABASE=dvna
+export MYSQL_PASSWORD=passw0rd
+export MYSQL_HOST=127.0.0.1
+export MYSQL_PORT=3306
+```
+
+Install Dependencies
+
+```bash
+npm install
+```
+
+Start the application
+
+```bash
+npm start
+```
+
+Access the application at [http://localhost:9090](http://localhost:9090)
+
+## TODO
+
+- [ ] Link commits to fixes in documentation
+- [x] Add new vulnerabilities from OWASP Top 10 2017
+- [x] Improve application features, documentation
+
+## Contributing
+
+In case of bugs in the application, please create an issue on github. Pull requests are highly welcome!
+
+## Thanks
+
+[Abhisek Datta - abhisek](https://github.com/abhisek) for application architecture and front-end code
+
+## License
+
+MIT

docker-compose.yml

@@ -0,0 +1,23 @@
+# Damn Vulnerable NodeJS Application
+
+version: "2.1"
+services:
+  app:
+    build:
+      context: ./
+      dockerfile: Dockerfile-dev
+    ports:
+      - 9090:9090
+    volumes:
+      - .:/app
+    depends_on:
+      - mysql-db
+    env_file:
+      - ./vars.env
+
+  mysql-db:
+    image: mysql:5.7
+    expose:
+      - "3306"
+    env_file:
+      - ./vars.env

entrypoint-dev.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+chmod +x /app/wait-for-it.sh
+
+/bin/bash /app/wait-for-it.sh mysql-db:3306 -t 300 -- bash startup.sh

entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+chmod +x /app/wait-for-it.sh
+
+/bin/bash /app/wait-for-it.sh $MYSQL_HOST:$MYSQL_PORT -t 300 -- npm start

package.json

@@ -0,0 +1,36 @@
+{
+  "name": "dvna",
+  "version": "0.0.1",
+  "description": "Damn Vulnerable NodeJS Application",
+  "main": "server.js",
+  "directories": {
+    "doc": "docs"
+  },
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "start": "node server.js"
+  },
+  "author": "sns",
+  "license": "MIT",
+  "dependencies": {
+    "bcrypt": "^1.0.3",
+    "csurf": "^1.9.0",
+    "ejs": "^2.5.7",
+    "express": "^4.16.2",
+    "express-fileupload": "^0.4.0",
+    "express-flash": "0.0.2",
+    "express-session": "^1.15.6",
+    "flash": "^1.1.0",
+    "libxmljs": "^0.19.1",
+    "mathjs": "3.10.1",
+    "md5": "^2.2.1",
+    "morgan": "^1.9.0",
+    "mysql2": "^1.4.2",
+    "node-serialize": "0.0.4",
+    "passport": "^0.4.0",
+    "passport-local": "^1.0.0",
+    "sequelize": "^4.13.10",
+    "winston": "^3.0.0",
+    "x-xss-protection": "^1.1.0"
+  }
+}

server.js

@@ -0,0 +1,42 @@
+var express = require('express')
+var bodyParser = require('body-parser')
+var passport = require('passport')
+var session = require('express-session')
+var ejs = require('ejs')
+var morgan = require('morgan')
+const fileUpload = require('express-fileupload');
+var config = require('./config/server')
+
+//Initialize Express
+var app = express()
+require('./core/passport')(passport)
+app.use(express.static('public'))
+app.set('view engine','ejs')
+app.use(morgan('tiny'))
+app.use(bodyParser.urlencoded({ extended: false }))
+app.use(fileUpload());
+
+// Enable for Reverse proxy support
+// app.set('trust proxy', 1) 
+
+// Intialize Session
+app.use(session({
+  secret: 'keyboard cat',
+  resave: true,
+  saveUninitialized: true,
+  cookie: { secure: false }
+}))
+
+// Initialize Passport
+app.use(passport.initialize())
+app.use(passport.session())
+
+// Initialize express-flash
+app.use(require('express-flash')());
+
+// Routing
+app.use('/app',require('./routes/app')())
+app.use('/',require('./routes/main')(passport))
+
+// Start Server
+app.listen(config.port, config.listen)

startup.sh

@@ -0,0 +1,4 @@
+#! /bin/bash
+
+npm install
+nodemon